1. Field of the Invention
The present invention relates generally to computing devices and software for malware protection. More specifically, it relates to maintaining white lists for behavior monitoring applications on computing devices.
2. Description of the Related Art
Behavior monitoring is a critical function in many malware detection systems that are used for preventing harmful computer software from damaging computers and corrupting the data stored on them. Recently, Host-based Intrusion Detection Systems (“HIDS”), also known as behavior monitors, have been used to protect against unknown malware, such as new viruses or worms for which no known “signatures” exist to check against. With behavior monitors, the behavior of processes running on a computer is checked to determine whether any of that behavior is characteristic of malware or has features indicating that the process may be malware. Behavior monitoring typically requires that a process pass through an entire rule-matching engine, where the process is compared against a large set of rules, to see whether it is potentially dangerous. For example, the behavior of a process, such as which files it opens, in what order, and which operations are performed on which files, is examined. Some processes, such as compiling source code, may require so much behavior monitoring that the entire operation of a computer may come to a halt or shut down. In other examples, copying a file or making a network connection may take a few seconds longer because of the rule matching that occurs in behavior monitoring, which is often long enough to cause annoyance or frustration to the user and leave a negative impression.
As such, checking the behavior of nearly all processes on a computer often results in a serious performance issue on the computer. This performance impact often slows down all operations on the computer. In addition, behavior monitors that have a high detection rate may be accompanied by an increased number of false positives. However, performance overhead may be reduced with the use of exception lists, also referred to as white lists. These lists describe features and characteristics of files and processes that, if present, strongly indicate that the processes or files are very likely not malware. Many white lists are created manually by human beings based on what they experience “in the field.” This manual creation and maintenance of a white list requires constant changing and updating. Some white lists only exempt a narrow category of processes from being analyzed by a behavior monitoring system, such as only files that have a digital signature from Microsoft. Other examples are task managers or Microsoft processes. These white list entries are typically “hard coded” by a human being. A false positive in this context is a process that is harmless or safe but has been labeled by a behavior monitoring system as potential malware and, as a result, has been prevented from executing. Obviously, the more false positives there are, the more frustrating it is for the computer user, which compounds the performance overhead issue (that is, the computer is not only slow, but the user is also actually prevented from carrying out certain everyday or other normal operations).
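The following is an added example, not code from the patent, that makes the preceding two paragraphs concrete: a toy behavior monitor whose rule engine inspects an ordered list of process events (which files are opened, in what order, which operations follow), with a white list consulted first so that exempt processes never reach the rule engine. All process names, event lists, image bytes, signer names and rule names are constructed for the example; the counters show how much rule matching the white list saves, and the compiler process illustrates a false positive (a mass-file-write rule) that a signer-based entry avoids.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessInfo:
    """A running process as seen by the monitor (all fields are constructed for this example)."""
    name: str
    signer: Optional[str]   # publisher on the code-signing certificate, None if unsigned
    image: bytes            # bytes of the executable image (toy stand-ins, not real binaries)
    events: list            # ordered (operation, target) pairs observed for the process


@dataclass
class WhiteList:
    """Exception list: a process matching an entry skips the rule-matching engine entirely."""
    trusted_signers: set
    trusted_hashes: set     # SHA-256 hex digests of known-good executable images

    def is_exempt(self, proc: ProcessInfo) -> bool:
        if proc.signer is not None and proc.signer in self.trusted_signers:
            return True
        return hashlib.sha256(proc.image).hexdigest() in self.trusted_hashes


# --- behavior rules: each predicate inspects the ordered event list -------------

def rule_mass_file_write(events, threshold=20):
    """Many file writes in one run; a compiler or installer trips this legitimately."""
    return sum(1 for op, _ in events if op == "write") >= threshold


def rule_document_read_then_connect(events):
    """Order matters: a user document is read and *afterwards* a network connection is made."""
    document_read = False
    for op, target in events:
        if op == "read" and target.endswith((".docx", ".xlsx", ".pdf")):
            document_read = True
        elif op == "connect" and document_read:
            return True
    return False


def rule_autorun_registry_write(events):
    """Persistence through the per-user Run key."""
    return any(op == "regwrite" and "\\CurrentVersion\\Run" in target for op, target in events)


RULES = [
    ("mass-file-write", rule_mass_file_write),
    ("document-read-then-connect", rule_document_read_then_connect),
    ("autorun-registry-write", rule_autorun_registry_write),
]


def run_rule_engine(proc, stats):
    """Full rule matching: every rule is evaluated, which is the cost the white list avoids."""
    hits = []
    for name, predicate in RULES:
        stats["rule_evaluations"] += 1
        if predicate(proc.events):
            hits.append(name)
    return hits


def monitor(procs, whitelist=None):
    """Return {process name: verdict} plus counters showing how much rule matching ran."""
    stats = {"rule_evaluations": 0, "exempted": 0}
    verdicts = {}
    for proc in procs:
        if whitelist is not None and whitelist.is_exempt(proc):
            stats["exempted"] += 1
            verdicts[proc.name] = "exempt"
            continue
        hits = run_rule_engine(proc, stats)
        verdicts[proc.name] = "suspicious:" + ",".join(hits) if hits else "clean"
    return verdicts, stats


# --- constructed sample input ----------------------------------------------------

NOTES_IMAGE = b"notes.exe-toy-image-v1"   # stands in for an unsigned in-house tool


def sample_processes():
    compiler = ProcessInfo("cl.exe", "Microsoft Corporation", b"cl.exe-toy-image",
                           [("read", "C:\\src\\main.c")]
                           + [("write", f"C:\\build\\obj{i}.o") for i in range(40)])
    notes = ProcessInfo("notes.exe", None, NOTES_IMAGE,
                        [("read", "C:\\Users\\me\\todo.txt"), ("write", "C:\\Users\\me\\todo.txt")])
    dropper = ProcessInfo("update.exe", None, b"update.exe-toy-image",
                          [("read", "C:\\Users\\me\\invoice.docx"),
                           ("connect", "203.0.113.10:443"),
                           ("regwrite", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd")]
                          + [("write", f"C:\\Users\\me\\doc{i}.tmp") for i in range(25)])
    return [compiler, notes, dropper]


def sample_whitelist():
    return WhiteList(trusted_signers={"Microsoft Corporation"},
                     trusted_hashes={hashlib.sha256(NOTES_IMAGE).hexdigest()})


if __name__ == "__main__":
    for wl in (None, sample_whitelist()):
        verdicts, stats = monitor(sample_processes(), wl)
        print("with white list:" if wl else "without white list:", verdicts, stats)
```

Without the white list every process costs one pass over all three rules and the compiler is flagged for its 40 writes; with it, the signed compiler and the hash-listed in-house tool are exempted, only the unsigned dropper is matched, and the rule-evaluation count drops from nine to three. The two entry kinds also show the maintenance trade-off the text describes: a hash entry is narrow and goes stale on every update of that tool, while a signer entry covers a whole publisher at once.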
It may also be noted that previous work in machine learning and data mining for detecting malware, worms in particular, includes Fast Detection of Scanning Worm Infection at Harvard University. This research describes approaches that are effective for known worms (and for unknown worms with similar network behaviors) using a hypothesis-test algorithm. In this approach, web crawling penetration is still a significant issue, as is performance. Another research project is the Detection of Unknown Computer Worms Activity Based on Computer Behavior using Data Mining at Ben-Gurion University in Israel. The results of this research indicate a high accuracy rate on average with 20 detection categories. By increasing the number of detection categories, the data mining can increase accuracy and lower the false positive rate. However, it may also imply that more system resources are needed for the detection function, and the overall performance impact could be a concern.
The following patent and patent application describe a fundamental mechanism for behavior monitoring. Both use system-wide monitoring and, inevitably, have performance concerns. They are: “Method and Apparatus for the Automatic Determination of Potentially Worm-Like Behavior of a Program,” U.S. Pat. No. 7,487,543, Arnold, William C., et al., assigned to IBM Corporation, and “Method and Apparatus for the Automatic Determination of Potentially Worm-Like Behavior of a Program,” US Patent Application Publication No. 20080189787, Arnold, William C., et al., assigned to IBM Corporation.
It would be desirable to have a behavior monitor that does not seriously impact performance on a computer. It would also be desirable if the monitor does not needlessly prevent users from executing safe programs or tasks, and at the same time offers adequate protection from unknown and new malware.